Message-ID: <448CDBA0.2010203@micom.mng.net>
Date: Mon, 12 Jun 2006 12:12:32 +0900
From: Ganbold
To: Vadim Goncharov
Cc: "freebsd-current@freebsd.org"
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

Vadim Goncharov wrote:
> Hello All!
>
> I wrote a new netgraph(4) node, called ng_tag, able to match packets by
> their mbuf_tags(9) and assign new tags to mbufs. This can be used for
> many things in the kernel network subsystem, but it is particularly useful
> with the recently added ipfw(8) tag/tagged functionality (will be MFCed to
> RELENG_6 after Jun 24).
>
> With this node, in conjunction with ng_bpf(4), I was able to match and
> block (perhaps shaping is also possible, but this relies solely on
> ipfw) DirectConnect P2P data connection traffic - you know, they're
> using random ports, so you can't match them with usual firewall rules
> and must check the data payload contents of the packets. See the man page
> for an example of how to do this.
>
> Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
> Then do:
>
>     make
>     kldload ./ng_tag.ko
>
> The man page can be viewed as:
>
>     cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \
>         -Tascii | /usr/bin/col | more -s
>
> Please especially test tags with non-zero tag_len, if you can (though
> it's not needed for ipfw).
>
> P.S. BTW, what is the correct subject prefix for new contributions? I think
> [PATCH] is not correct as these are new files, not a patch :)

You mentioned the L7 filtering possibility; is it possible to filter
Skype, MSN, and Yahoo Messenger traffic using ng_tag?
If you could add some additional examples of how to block the above, that
would be great. This is just my thought.

thanks,
Ganbold

>
> --
> WBR, Vadim Goncharov